thanks u

I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF.  Why not save yourself a ton of security concerns and use a Python-based bulletin board?  There are several reputable, mature, open source products available.  I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker.

When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software.  So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try?

Specific recommendation: pyForum http://www.pyforum.org/  It's based on web2py framework.  I have used web2py and I highly recommend it.  Migrating from SMF should not be terribly difficult for someone who understands databases.

Which means you're fucked if there's a vulnerability in Django.

Tip: a language is just a language. PHP is a language, Python is a language, and it's ridiculous to even imply that something in a different language would somehow be magically more secure.

php has plenty of frameworks

And also possible that simply logging in sends out your password. Good thing I use junk passwords for forums.

how about some beefed up infrastructure with a good firewall, ids, virus etc... etc...?

no way bitcoin is becoming mainstream until, we (as in all of us, open-source anything lovers), take security seriously.

as long as there's an opportunity to create PR damage to bitcoin, it will be done and the only press and info that mainstream folks hear about bitcoin will be negative.

you can hiss at me, say whatever, i don't give a shit about your negative-all-knowing pontification that is coming at this post....

BUT

bitcoin will become mainstream not because of it's technical wow/genius or libertarian fuck-the-government connotations... whatever the hell you want to insert here... BUT only if there is positive PR and good perception with public.

There ain't enough of us here to make it mainstream.  You tell me what non-technical people, when you ask them about bitcoin, tell you?  I bet it's only the negative crap that has been put out BECAUSE of security lapses with peripheral, supporting, indirect bitcoin related services.  Nobody cares that it's not bitcoin suffering directly.  people do not understand the difference...

So, whenever you all (those who are in position to take security-related actions) take this seriously, then maybe bitcoin will have a shot.

Until then, get your pop corn out, every few weeks we will see another nail put into bitcoin "Security"

control the message, control opinion, perception and ultimately reality.

What does not kill bitcoin will make it stronger.

Can we please, please stop using this ultra crappy forum software?  It's horrible from every single standpoint, security included.  Please upgrade to a modern piece of software.  This junk from the early part last decade has REALLY got to go.

Thank you theymos for brining this to our attention. Since there is no practical way to guarantee security, it's nice that you keep us in the loop.

Yea, lastpass application encrypts your passwords before they leave your pc to be stored online through SSL and decrypts them on your pc.

Only you, that have the master password, can access your passwords. Even if some how someone gained access to you password database, it is encrypted.

There is also that thought if your pc has a keylogger, well your screwed for not securing your pc correctly/properly.